LexisNexis Business Solutions
Just a few weeks ago, the GFMI conference brought together experts and leaders from across the financial services industry to share their strategies and insights in managing risk. Naturally, due diligence and third-party risk featured heavily in discussions, but in a reflection of the complex environment in which financial services organizations operate, fourth-party risk was, perhaps, one of the hottest topics. Why? Just as pressure has ramped up on other industries to thoroughly vet their entire supply chains down to the raw materials to bring forced labor into the light, pressure is growing for financial organizations to identify risk in outsourced services.
One interesting presentation on the topic of fourth-party risk during the GFMI Conference came from Philip Edwards, Chief Procurement Officer at Synovus Financial Corp. He pointed out that while regulators apply a broad definition to third-party risk, in recent years they have increasingly used language suggestive of fourth parties. In particular, the guidance from the Office of the Comptroller of the Currency (OCC) changed significantly. The current 2013-29 guidance uses the terms ‘subcontractor’ or ‘subcontracting’ 34 times while the same terms only appeared four times in the 2011-47 guidance. And the OCC is not the only regulatory body highlighting the necessity to conduct more far-reaching due diligence to manage risk. The FDIC has indicated that “Contracting for a technology solution by using one lead provider may lessen [institutions’ direct involvement]…, but it does not diminish the responsibility for monitoring … subcontractors through the primary service provider relationship.”
Moreover, the high-profile data security breaches that have taken place in recent years only emphasize the importance of knowing who your third-party vendors use as sub-contractors. A few years ago, in an interview with FierceFinanceIT, Albert Belman, principal for third-party risk management practice at Booz Allen Hamilton said, “What has happened for services providers, very specifically in financial services, is the recognition that you need to have a data supply chain. If you are going to allow third parties to access your data, and they are going to, in turn, allow access to other third parties, you are going to need to have a full line of sight and visibility into that.” Are you just a cyber-breach away from a financial and reputational disaster caused by third- or even fourth-party subcontractors and agents? What other risks may these outsourced relationships pose?
Of course, conducting due diligence on how organizations can incorporate fourth-party risk management in their due-diligence process. Here are some steps recommended in the presentation:
Are you making changes in your own due-diligence strategy to address fourth-party risk? Leave a comment below to let us know how you’re doing it.
Minimizing Risk in the Financial Services Industry Demands you Conduct Due Diligence Beyond Third Parties: Addressing Fourth Party Risk